I am not seeing SNORT picking up union select SQL injection attempts on my WAN interface even though the rules exist to inspect the packets any one else seen this and how did you resolve it? I added these custom rules to try and catch them but one always gets through so the guy hitting us is using attempting once per ip and moving on to a different ip any thoughts?

 

 

 

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL union select - possible sql injection attempt - GET parameter"; flow:to_server,established; content:"union"; fast_pattern:only; http_uri; content:"select"; nocase; http_uri; pcre:"/union\s+(all\s+)?select\s+/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,14876; reference:bugtraq,21227; reference:bugtraq,22582; reference:bugtraq,24067; reference:cve,2005-3004; reference:cve,2006-0065; reference:cve,2006-0154; reference:cve,2006-2835; reference:cve,2006-6268; reference:cve,2007-1021; reference:cve,2007-2824; reference:cve,2011-1667; classtype:misc-attack; sid:13990; rev:25;)

 

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL Suspicious SQL ansi_padding option"; flow:to_server,established; content:"a|00|n|00|s|00|i|00|_|00|p|00|a|00|d|00|d|00|i|00|n|00|g|00|"; pcre:"/s\x00e\x00t\x00(\s\x00)+a\x00n\x00s\x00i\x00_\x00p\x00a\x00d\x00d\x00i\x00n\x00g\x00(\s\x00)+o\x00f\x00f\x00/smi"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2008-0106; reference:url,msdn.microsoft.com/en-us/library/ms187403.aspx; classtype:policy-violation; sid:16075; rev:7;)

 

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql insert injection attempt - GET parameter"; flow:to_server,established; content:"insert"; fast_pattern:only; http_uri; pcre:"/insert\s+into\s+[^\/\\]+/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-2998; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:13513; rev:19;)

 

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL union select - possible sql injection attempt - POST parameter"; flow:to_server,established; content:"union"; fast_pattern:only; http_client_body; content:"select"; nocase; http_client_body; pcre:"/union(%20|\+)+(all(%20|\+)+)?select(%20|\+)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:misc-attack; sid:15874; rev:13;)

 

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Saxum Picker SQL injection attempt"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"option=com_saxumpicker"; fast_pattern:only; http_uri; content:"publicid="; nocase; http_uri; pcre:"/[?&]publicid=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-7178; classtype:web-application-attack; sid:46338; rev:1;)

 

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Saxum Picker SQL injection attempt"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"option=com_saxumpicker"; fast_pattern:only; http_client_body; content:"publicid="; nocase; http_client_body; pcre:"/(^|&)publicid=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-7178; classtype:web-application-attack; sid:46337; rev:1;)

 

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL char and sysobjects - possible sql injection recon attempt"; flow:to_server,established; content:"CHAR|28|"; nocase; http_uri; content:"CHAR|28|"; distance:0; nocase; http_uri; content:"CHAR|28|"; distance:0; nocase; http_uri; content:"[sysobjects]"; distance:0; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:15584; rev:8;)

 

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL Suspicious SQL ansi_padding option"; flow:to_server,established; content:"ansi_padding"; pcre:"/set\s+ansi_padding\s+off/smi"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2008-0106; reference:url,msdn.microsoft.com/en-us/library/ms187403.aspx; classtype:policy-violation; sid:16074; rev:4;)

 

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql exec injection attempt - GET parameter"; flow:to_server,established; content:"exec"; fast_pattern:only; http_uri; pcre:"/exec\s+master/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:13512; rev:15;)

 

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql insert injection attempt - POST parameter"; flow:to_server,established; content:"insert "; fast_pattern:only; http_client_body; pcre:"/insert\s+into\s+[^\/\\]+/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:15875; rev:12;)

 

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql update injection attempt - GET parameter"; flow:to_server,established; content:"update"; fast_pattern:only; http_uri; pcre:"/update\s+[^\/\\]+set\s+[^\/\\]+/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:13514; rev:17;)

 

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql exec injection attempt - POST parameter"; flow:to_server,established; content:"exec "; fast_pattern; nocase; http_client_body; content:"master "; nocase; http_client_body; pcre:"/exec\s+master/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:15877; rev:9;)

 

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL union select - possible sql injection attempt - POST parameter"; flow:to_server,established; content:"union"; fast_pattern:only; http_client_body; content:"select"; http_client_body; content:"union select";nocase; http_client_body; pcre:"/union(%20|\+)+(all(%20|\+)+)?select(%20|\+)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:misc-attack; sid:15874; rev:13;)

 

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL generic convert injection attempt - GET parameter"; flow:to_server,established; content:"convert|28|"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:26925; rev:2;)

 

JEFF PRATT

Director Of Networking And Security

E.     jpratt@simplepart.com

O.     (404)620-9764 ext.120

C.     (678)572-9679


SimplePart

simplepart.com

84 Walton Street NW, Suite 400 | Atlanta, GA 30303


This message (including any attachments) is only for the use of the person(s) for whom it is intended. It may contain SimplePart confidential, proprietary and/or trade secret information. If you are not the intended recipient, you should not copy, distribute or use this information for any purpose, and you should delete this message and inform the sender immediately.